Tag Archives: Spear-phishing

The standard-issue phishing attack relies on sheer numbers as the key to its success; by sending tens of millions of emails, the chances of hooking a few thousand victims is pretty good, regardless of how sophisticated the message itself is.

But there is another type of phishing attack, known as spear phishing, which exchanges quantity for quality, by using insider information to target businesses. Spear phishing attacks are smaller in scale but arguably more effective than their poorly-spelled, randomly-selected cousins.

In a spear phishing attack, you might get a message at your job that appears to come from someone you work with, often a member of management or from another department. This message may request information about financial accounts, login and password information, ask you to open a file or link, or ask that you authorize a wire transfer from your employer’s account. If you comply with these directions, you will make your company vulnerable to financial or data loss.

Most established businesses have a website that reveals the names of management, the board of directors, and people from various departments, which gives would-be cybercriminals the information they need to impersonate an insider.

Communication is the key to preventing spear phishing attacks. Think about any request received via email – is this how the head of the IT department or the CEO really talks? Why are they sending you a file out of the blue? Is it your job to initiate wire transfers? The best defense is to simply confirm with the apparent sender if the message is legitimate or not. Spear phishing attacks use some of the same techniques as regular phishing emails, such as disguised links or infected file attachments. It pays to double-check before you take any action.

It starts with a “spear-phishing” message. Spear-phishing is a targeting form of phishing, made to look like it comes from someone you know, possibly a friend or employer. This message, rather than the usual phishing angle (“click this link to verify your account information”) will either contain a malware-infected attachment, or will link to a website that infects the user’s computer with malware.

This malware includes a keylogger program, which sends a record of keystrokes back to whoever originated the scheme. Once the victim logs into one of their financial institution accounts, this information is relayed back to the crooks.

At this point, the crooks will use either wire or ACH transfers to remove money from the victim’s account. However, it doesn’t end here.

The next victims in the process are those who have fallen for some form of work-at-home scheme (usually “processing payments” or similar). The money stolen from the first victim is wired into an account held by the next victim, who then transfers it back to the criminals, thinking they are actually processing a “payment” from the original victim.

So, they’re not just logging keystrokes to steal money from one group, they’re using a second set of victims to launder the money for them.

It would be brilliant if it weren’t so slimy.

This got me thinking about US Surveys, Inc., whom I wrote about a couple months ago. In doing research on this obvious mystery shopper scam, I actually came across a few victims who, at least for their first “assignment,” had actually made around $100. “They wired $900 into my Citibank account, then had me wire $800 back to them.” It was only on their second “assignment,” when they were asked to wire their own money first, that they began to wise up.

I thought that was kind of weird at the time. Were they actually paying you the first time just to earn your trust? It seemed like an awfully big gamble, since people were realizing that it was a scam soon afterwards (not to mention the risk of someone just taking the $900 and running).

Now it makes sense. The initial $900 was probably money stolen from a spear-phishing victim. That $100 these people had made was their payoff for helping someone launder money. They weren’t being ripped off initially, but they were helping a criminal conceal the source of funds.

The second, “Now wire us your money first” assignment was probably just an attempt at an extra payoff on their way out the door; by that point, the original victim (whose money was being laundered in the first transaction) had most likely discovered the fraud and locked the account. Thieves have to move quickly from victim to victim these days.

What all this leads me to is the following:

Keep your virus protection up-to-date

Learn about different types of scams so you’ll know what to watch for

Do not become involved in work-at-home schemes that involve “processing payments” or wire transfers; these are money laundering schemes; the only real ways to legitimately work at home are to start your own business, or to work for a company that allows telecommuting

The multi-level integration of these different types of fraud is terribly sophisticated; this is organized crime

Because of #4 above, your best bet is just to avoid, avoid, avoid. Lose any big ideas you might have about trying to “scam the scammers”

If you are a victim of this type of crime, in addition to the standard credit locks and police reports, file a complaint with the IC3; your information could help federal law enforcement stop this type of crime in the future.